Merge commit from fork

Signed-off-by: Jan Larwig <jan@larwig.com>
2026-04-13 18:20:36 +02:00 · 2026-04-13 18:20:36 +02:00 · 43596a7bab
parent 0337a95fc6
commit 43596a7bab
3 changed files with 39 additions and 13 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -11,6 +11,7 @@
 - [#3411](https://github.com/oauth2-proxy/oauth2-proxy/pull/3411) chore(deps): update gomod dependencies (@tuunit)
 - [#3333](https://github.com/oauth2-proxy/oauth2-proxy/pull/3333) fix: invalidate session on fatal OAuth2 refresh errors (@frhack)
 - [GHSA-f24x-5g9q-753f](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-f24x-5g9q-753f) fix: clear session cookie at beginning of signinpage handler (@fnoehWM / @bella-WI / @tuunit)
+- [GHSA-5hvv-m4w4-gf6v](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v) fix: health check user-agent authentication bypass (@tuunit)

 # V7.15.1

--- a/pkg/middleware/healthcheck.go
+++ b/pkg/middleware/healthcheck.go
@ -43,10 +43,13 @@ func healthCheck(paths, userAgents []string, next http.Handler) http.Handler {

 func isHealthCheckRequest(paths, userAgents map[string]struct{}, req *http.Request) bool {
 	if _, ok := paths[req.URL.EscapedPath()]; ok {
-		return true
-	}
-	if _, ok := userAgents[req.Header.Get("User-Agent")]; ok {
-		return true
+		if len(userAgents) == 0 {
+			return true
+		}
+
+		if _, ok := userAgents[req.Header.Get("User-Agent")]; ok {
+			return true
+		}
 	}
 	return false
 }
--- a/pkg/middleware/healthcheck_test.go
+++ b/pkg/middleware/healthcheck_test.go
@ -45,6 +45,16 @@ var _ = Describe("HealthCheck suite", func() {
 			healthCheckPaths:      []string{"/ping"},
 			healthCheckUserAgents: []string{"hc/1.0"},
 			requestString:         "http://example.com/ping",
+			headers: map[string]string{
+				"User-Agent": "hc/1.0",
+			},
+			expectedStatus: 200,
+			expectedBody:   "OK",
+		}),
+		Entry("when requesting the healthcheck path with no health check user agents configured", &requestTableInput{
+			healthCheckPaths:      []string{"/ping"},
+			healthCheckUserAgents: []string{},
+			requestString:         "http://example.com/ping",
 			headers:               map[string]string{},
 			expectedStatus:        200,
 			expectedBody:          "OK",
@ -85,15 +95,25 @@ var _ = Describe("HealthCheck suite", func() {
 			expectedStatus: 404,
 			expectedBody:   "404 page not found\n",
 		}),
-		Entry("with a request from the health check user agent", &requestTableInput{
+		Entry("with a request from the health check user agent on a non-healthcheck path", &requestTableInput{
 			healthCheckPaths:      []string{"/ping"},
 			healthCheckUserAgents: []string{"hc/1.0"},
 			requestString:         "http://example.com/abc",
 			headers: map[string]string{
 				"User-Agent": "hc/1.0",
 			},
-			expectedStatus: 200,
-			expectedBody:   "OK",
+			expectedStatus: 404,
+			expectedBody:   "404 page not found\n",
+		}),
+		Entry("when an auth_request endpoint receives the configured health check user agent", &requestTableInput{
+			healthCheckPaths:      []string{"/ping"},
+			healthCheckUserAgents: []string{"GoogleHC/1.0"},
+			requestString:         "http://example.com/oauth2/auth",
+			headers: map[string]string{
+				"User-Agent": "GoogleHC/1.0",
+			},
+			expectedStatus: 404,
+			expectedBody:   "404 page not found\n",
 		}),
 		Entry("when a blank string is configured as a health check agent and a request has no user agent", &requestTableInput{
 			healthCheckPaths:      []string{"/ping"},
@ -107,9 +127,11 @@ var _ = Describe("HealthCheck suite", func() {
 			healthCheckPaths:      []string{"/ping", "/liveness_check", "/readiness_check"},
 			healthCheckUserAgents: []string{"hc/1.0"},
 			requestString:         "http://example.com/readiness_check",
-			headers:               map[string]string{},
-			expectedStatus:        200,
-			expectedBody:          "OK",
+			headers: map[string]string{
+				"User-Agent": "hc/1.0",
+			},
+			expectedStatus: 200,
+			expectedBody:   "OK",
 		}),
 		Entry("with multiple paths, request none of the healthcheck paths", &requestTableInput{
 			healthCheckPaths:      []string{"/ping", "/liveness_check", "/readiness_check"},
@ -121,15 +143,15 @@ var _ = Describe("HealthCheck suite", func() {
 			expectedStatus: 404,
 			expectedBody:   "404 page not found\n",
 		}),
-		Entry("with multiple user agents, request from a health check user agent", &requestTableInput{
+		Entry("with multiple user agents, request from a health check user agent on a non-healthcheck path", &requestTableInput{
 			healthCheckPaths:      []string{"/ping"},
 			healthCheckUserAgents: []string{"hc/1.0", "GoogleHC/1.0"},
 			requestString:         "http://example.com/abc",
 			headers: map[string]string{
 				"User-Agent": "GoogleHC/1.0",
 			},
-			expectedStatus: 200,
-			expectedBody:   "OK",
+			expectedStatus: 404,
+			expectedBody:   "404 page not found\n",
 		}),
 		Entry("with multiple user agents, request from none of the health check user agents", &requestTableInput{
 			healthCheckPaths:      []string{"/ping"},